CVE-2025-36088: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM Storage TS4500 Library
IBM TS4500 1.11.0.0-D00, 1.11.0.1-C00, 1.11.0.2-C00, and 1.10.00-F00 web GUI is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
AI Analysis
Technical Summary
CVE-2025-36088 is a medium-severity cross-site scripting (XSS) vulnerability identified in the web graphical user interface (GUI) of the IBM Storage TS4500 Library, specifically affecting versions 1.10.00-F00, 1.11.0.0-D00, 1.11.0.1-C00, and 1.11.0.2-C00. The vulnerability is classified under CWE-79, which involves improper neutralization of input during web page generation. This flaw allows an authenticated user to inject arbitrary JavaScript code into the web interface. Because the vulnerability requires authentication and user interaction, an attacker must have valid credentials and access to the web GUI to exploit it. Once exploited, the injected script can alter the intended functionality of the web interface, potentially leading to the disclosure of sensitive information such as user credentials within a trusted session. The CVSS v3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges, and user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability poses a risk primarily to administrators or users with access to the IBM TS4500 Storage Library management interface, which is used in enterprise environments for tape storage management. Exploitation could lead to session hijacking or unauthorized actions performed under the guise of a legitimate user, undermining the confidentiality and integrity of the system management operations.
Potential Impact
For European organizations utilizing IBM Storage TS4500 Library systems, this vulnerability could lead to unauthorized disclosure of credentials and potential session hijacking within the management interface. Given that the TS4500 is typically deployed in data centers and enterprises for archival and backup storage, compromise of the management GUI could allow attackers to manipulate storage operations or gain further foothold in the network. This could disrupt backup and archival processes, impacting data availability indirectly. Confidentiality is at risk due to possible credential theft, and integrity could be compromised if attackers alter system configurations or data management tasks. The requirement for authentication limits the threat to insiders or attackers who have already gained some level of access, but the potential for lateral movement and privilege escalation remains significant. European organizations with strict data protection regulations (e.g., GDPR) could face compliance issues if such a breach leads to unauthorized data exposure. The medium severity suggests a moderate but non-trivial risk that should be addressed promptly to prevent escalation.
Mitigation Recommendations
1. Restrict access to the IBM TS4500 web GUI strictly to trusted administrators and secure the management network segment using network segmentation and firewall rules.
2. Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise.
3. Monitor and audit access logs for unusual or unauthorized activities on the management interface.
4. Apply input validation and output encoding on all user-supplied data in the web GUI to prevent script injection; although no patch is currently linked, coordinate with IBM for timely updates or workarounds.
5. Consider deploying web application firewalls (WAFs) that can detect and block XSS payloads targeting the management interface.
6. Educate administrators about the risks of XSS and the importance of logging out after sessions to reduce session hijacking risks.
7. Regularly review and update credentials and limit privileges to the minimum necessary for management tasks.
8. If possible, isolate the management interface from general user networks and restrict access to specific IP addresses or VPN connections.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Sweden, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T21:16:13.891Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689f8b5fad5a09ad00701c5b
Added to database: 8/15/2025, 7:32:47 PM
Last enriched: 8/15/2025, 7:47:52 PM
Last updated: 8/15/2025, 9:18:25 PM